DETAILED ACTION

1. The Amendment, and remarks therein, received on 7/30/07 have been entered and
carefully considered. 

2. The Amendment introduced a new limitation into claims 6-7, 11-13, 17-18 and 20-21.
Claims 10, 14-16 and 19 were cancelled and a new claim 22 was added.

3. The newly introduced limitations (claims 17-18, 20-22) have required a new search 
and consideration of the pending claims. The new search has resulted in newly 
discovered prior art. New grounds of rejection based on the newly discovered prior 
art follow below. 

4. The text of those sections of Title 35, U.S. Code not included in this action can be
found in a prior office action. 

Response to Amendment 

5. The amended Fig. 1 to identify the disclosure as a prior art has been accepted. 

6. The added features to Fig. 4 do not correlate to any of the previously drawn objects 
and as a result Fig. 4 is ambiguous. Note that the added features are to address 
particular limitations of claims 6-7 which incorporate the limitation of claim 1
represented by the original Fig. 4. However, the newly added features to Fig. 4 do 
not depend on the originally presented features. 

In other words, although applicant added features to the original Fig. 4 in order to 
clarify (articulate) the claimed limitations, the new Fig. 4 is at least as ambiguous as 
the original one. 

As applicant corrects the figure in order to clearly identify the relationship to other
objects in Fig. 4, applicant should provide support in the original specification.
Similarly, if applicant decides to present objects 426 and 428 as a separate figure it
must be clear how this figure relates to the subject matter disclosed in other figures.
Disclosing such a relationship in the specification would be satisfactory. However, if
applicant decides to choose this route, applicant should point to the specification
where such support exists since, as mentioned above, the examiner was not able to
find a discussion related to newly presented objects 426 and 428.

7. As per claims 1, 9 and 17-21, applicant argues that neither Doyle nor Sawada
discloses "comparing the first source IP address and MAC address pair with
information in a table which stores source IP address and MAC address pair and
passing the received first data packet through the port when the pair is found in the
table."

From applicant's remarks it appears that applicant attempts to differentiate Doyle's
disclosure from applicant's invention by pointing to a two-stage lookup into a table to
detect spoofed packets.

8. The examiner points out that applicant's remarks indicate only that Doyle's
disclosure includes more steps than applicant's invention. Since Doyle discloses the
required steps and the claim language uses the term "comprising" rather than
"consisting", applicant's allegation of Doyle's shortcoming regarding claim 1 is
faulty.

9. Doyle clearly discloses the steps recited in claim 1 in Fig. 5 and shown in col. 9 lines 10-26.
Although col. 9 lines 10-26 do not explicitly recite a "table", in order to determine
if the MAC address is bound to the source IP address, a structure correlating these
two elements must be in place, and in the case of Doyle's invention the structure
used to correlate the elements is a table (see col. 10 lines 45-48, col. 11 lines 50-55
and col. 12 lines 5-10).

10. As per claim 5, applicant argues that nothing suggests that the table inherently must
be stored in an access control list of a content addressable memory and provides an
example of DRAM as a support to applicant's statement.

Applicant's argument is not found persuasive. The examiner points out that in order 
for a computer to be able to operate on content, the content must be stored in 
memory and content (in particular content stored in memory) is referenced by 
content address. Thus, the content (e.g. access control list content) must be stored 
in a memory storing content, and in order for the content to be stored/retrieved the 
memory must have addresses at which the content may be referred to. Thus, the 
computer must comprise content addressable memory where the content (e.g. 
access control list) is placed to implement particular tasks requiring the content. 

11. As per claim 3, applicant argues that performing a reverse IP check request is
substantially different from a reverse ARP disclosed by Whelan. However, the
examiner did not find support for applicant's allegation either in the Remarks or in
the claim language.

12. In paragraph 36, Whelan explicitly discloses performing a reverse IP check (RARP)
in order to verify an IP address corresponding to a device.

13. Claims 1-9, 11-13, 17-18 and 20-22 have been examined. 

Drawings 

14. The drawings remain objected to. See response to the Amendment, above.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

15. Claim 18 is rejected under 35 U.S.C. 112, first paragraph, as failing to comply with 
the written description requirement. The claim(s) contains subject matter which was 
not described in the specification in such a way as to reasonably convey to one 
skilled in the relevant art that the inventor(s), at the time the application was filed, 
had possession of the claimed invention. 

Not only does the original specification not suggest that "the processor includes a
content addressable memory and wherein the table is stored in an access control list
of the content addressable memory", but in fact the specification contradicts the
recited limitation: see Fig. 2 and associated text.

Claim Rejections - 35 USC § 102

16. Claims 1-2, 4-5 remain rejected under 35 U.S.C. 102(e) as being anticipated by
Doyle (U.S. Patent No. 7134012). 

As per claim 1, Doyle discloses a network device comprising a port (e.g. Fig. 1), 
receiving a first data packet on the port (Fig. 5, step 500); determining a first MAC 
address for the received first data packet; determining a first source IP address for 
the received first data packet, wherein the first source IP address for the received 
first data packet and the first MAC address for the received first data packet form a 
first source IP address and MAC address pair (Fig. 5, step 510), comparing the first 
source IP address and MAC address pair with information in a table which stores 
source IP address and MAC address pairs (Fig. 5, Step 530, Table 2 and col. 9 lines 
19-28, for example. Note that Doyle discloses similar teaching in Fig. 6, 7 etc.). 

17. As per claim 2, Doyle discloses receiving a second data packet on the port, 
determining if a second MAC address for second data packet is a new MAC address 
and when the second MAC address for the received second data packet is 
determined to be a new MAC address, learning the source IP address for the 
second MAC address, wherein the second MAC address and the learned source IP
address form a second IP address and MAC address pair and storing the second IP 
address and MAC address pair in the table (col. 9 lines 44- 64). 

18. As per claim 4, Doyle discloses learning the source IP address for the new received
MAC address, wherein the learning of the source IP address utilizes at least one of
the processes selected from the following group of processes: (1) using a reverse
address resolution protocol; (2) listening to a DHCP response packet; (3) watching
for an IP header information in a data packet and (4) listening to ARP requests and
ARP reply messages (col. 3 lines 46-54); and storing the new IP/MAC address pair
in the table (col. 3 lines 52-54, Table 2, col. 7).

19. As per claim 5, the table reads on Access Control List (it is used to filter data) and in 
order for the device to access the entries, the table inherently must be stored in a 
content addressable memory. 

Claim Rejections - 35 USC § 102 or 103 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(a) the invention was known or used by others in this country, or patented or described in a printed 
publication in this or a foreign country, before the invention thereof by the applicant for a patent. 

20. Claims 11-13, 17-18, and 20-22 are rejected under 35 U.S.C. 102(a) as anticipated 
by or, in the alternative, under 35 U.S.C. 103(a) as obvious over Rayes (USPN 
7234163). 

As per claims 17 and 20-22, Rayes discloses a network device (130, for example) 
for use in a computer network having a plurality of hosts (104 A-B) each host having 
a MAC address (Fig. 1 and associated text), the network device comprising a 
plurality of ports (e.g. 137 A-B), a MAC detector which operates to identify a source 
MAC address for data packet received at a first port of the plurality of ports and a 
source IP address detector which operates to identify a source IP address for the 
data packet, wherein the source IP address for the data packet and the source MAC
address for the data packet form a source IP address and MAC address pair (col. 7 
lines 35-45 and col. 7 line 63- col. 8 line 3, for example), 

Rayes discloses that the device compares the source IP address and MAC address 
pair with information in a table, which stores a plurality of source IP address and 
MAC address pairs (NMS database, for example) and 

Although Rayes does not explicitly disclose passing the data packet through the first 
port when the source IP address and MAC address pair is found in the table, the 
limitation is implicit. Not only does Rayes suggest to "proceed normally" when the match
is found (Fig. 4A), but Rayes also discloses that the table is to keep valid IP/MAC
address pairs and it is used to identify spoofing attacks, wherein spoofing is
determined in case the received IP/MAC address pair is not the same as found in
the table (see Fig. 4 A-C and associated text), which results in the network device
preventing sending or receiving packets on the port from which the spoofed
attack is determined (col. 9 lines 31-46).

Furthermore, although, Rayes does not explicitly disclose that the above steps are 
implemented by a processor in the device, the examiner points out that computer 
network devices utilize processors to implement computer functionalities. 
Additionally, Rayes suggests to use a computer system 500 to implement the
invention (col. 10 lines 1-19). System 500 comprises a processor (see Fig. 5 and 
associated text). 

As per claim 18, Rayes does not explicitly disclose that the processor includes a
content addressable memory and wherein the table is stored in an access control list 
of the content addressable memory. 

However, the table (ARP as well as NMS database (the database is a
multidimensional table) used in determination of whether to allow or disallow
communication) reads on the access control list and it can be stored in the device
(e.g. col. 3 lines 63-65 and col. 7 lines 32-34). As pointed out in the response to
amendments, computers access (operate on) content using addresses. Similar to
intuitive memory (e.g. RAM, ROM, non-volatile memory such as HD, etc.) a
processor comprises memory that stores data content that is stored/retrieved using
addresses. This memory (addressable content memory) enables the processor to
access and operate on content.

21. As per claims 11-12, Rayes an ordinary artisan would readily recognize that DHCP
packets that are received at (and passed through) the port, and stored in the table 
(col. 3 line 46- col. 6 line 9, for example) may come at any time, not only as a first 
but a second or third packet. Furthermore, an ordinary artisan would readily 
recognize that with a maximum number of source IP addresses assigned for the 
port, an additional value would not be accepted. 

22. The limitations of claim 13 are implicit. No match of a packet's MAC/IP pair with
entries in the table indicates a possible spoofed packet, and in particular when the
MAC/IP pair is determined to not be stored in the table (e.g. due to the maximum
number of source IP addresses already assigned access through the port) the
packet would not be considered to be ready for passing.

23. Claims 6-8 remain rejected under 35 U.S.C. 103(a) as being unpatentable over 
Doyle (U.S. Patent No. 7134012) in view of Official Notice. 

Doyle discloses filtering network packets received on ports. 

24. Also, as per claim 8, Doyle does not explicitly disclose an administrator selecting the 
maximum number of source IP addresses. 

Official Notice is taken that configuring computers by administrators (e.g. determine 
selection of values, e.g. ports) is old and well-known practice in the art of computing 
(e.g. DHCP scope administration). One of ordinary skill in the art at the time of 
applicant's invention would have been motivated to allow administrators to configure 
computers giving the benefit of network customization. 

25. As per claims 6-7, Doyle does not disclose determining and removing the source IP 
address from the table when it is determined that the device having the IP address is 
no longer coupled to the port. 

Any data structure, including a table, has a finite size and as a result, a finite
amount of data can be stored in the structure. Furthermore, an ordinary artisan in
the art of computer science would recognize that increasing the amount of data to be
searched increases search time.

Lastly, monitoring the activity of computer processes, including network connections, and
terminating inactive activities is well known in computer science (e.g. U.S. Patent
No. 6338089).

Thus, removing a source IP address, of a device not coupled to the port, from the
table would have been obvious to an ordinary artisan given the benefit of system's
efficiency.

26. Claim 3 remains rejected under 35 U.S.C. 103(a) as being unpatentable over Doyle
(U.S. Patent No. 7134012) in view of Whelan (U.S. Pub. No. 20040003285).

Doyle's disclosure has been discussed supra.

Doyle does not disclose performing a reverse IP check to confirm the learned source
IP address.

Whelan discloses performing a reverse IP check to confirm the IP address
(Whelan [0036]). It would have been obvious to one of ordinary skill in the art at
the time of applicant's invention to perform a reverse IP check to confirm the IP
address. One of ordinary skill in the art would have been motivated to perform such
a modification in order to identify rogue access (Whelan [0036]).

27. Claim 9 remains rejected under 35 U.S.C. 103(a) as being unpatentable over Doyle 
(U.S. Patent No. 7134012) in view of Sawada (U.S. Pub. No. 6907470). 

Doyle discloses a network device as discussed supra. 

28. Doyle does not explicitly disclose that the network device comprises a plurality of
ports.

Sawada discloses a network device with a plurality of ports (e.g. Sawada, router in
Fig. 13 and col. 11 line 65 - col. 12 line 6).

It would have been obvious to one of ordinary skill in the art at the time of applicant's
invention to incorporate a plurality of ports as taught by Sawada. One of ordinary
skill in the art would have been motivated to perform such a modification in order to
freely connect users from different subnets.

29. Doyle in view of Sawada do not disclose receiving input from a system administrator 
which selects ports of the plurality of ports will be provided based on a source IP
address and MAC address pair contained in a data packet. 

Official Notice is taken that configuring computers by administrators (e.g. determine 
selection of values, e.g. ports) is old and well-known practice in the art of computing 
(e.g. DHCP scope and firewall administration). One of ordinary skill in the art at the 
time of applicant's invention would have been motivated to allow administrators to 
configure computers giving the benefit of network customization.

30. Claims 11-13 are rejected under 35 U.S.C. 103(a) as obvious over Rayes (USPN 
7234163). 

Rayes discloses a network device comprising ports receiving data packets on ports,
comparing MAC/IP address pair within the received data packets with MAC/IP pairs
stored within a table, passing the data packet if the match is found and blocking if it is
not, as discussed above. Also discussed above were Rayes' DHCP packets, which
read on a second data packet with a second source IP and MAC addresses stored
in the table.

31. The examiner points out that even if a DHCP packet were not to be considered as a
second data packet, verifying entries not found in a structure (e.g. a table) and
updating the structure with found information (providing that a maximum value has
not been reached for particular entries) is old and well known in the art of computer
science (routing tables, DHCP, MAC/IP address pair in a computer cache, etc.). It
would have been obvious to one of ordinary skill in the art at the time of applicant's
invention to store the second source IP address and the second MAC address not
found in the table and received in a second data packet on the port (upon
obtaining/verifying the updated information) giving the benefit of updating the table
information for more accurate and efficient incoming data packet processing.
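
An added illustration, not part of the Office Action or of any cited reference: a minimal Python model of the per-port check the rejections above discuss, in which a packet passes only when its source IP/MAC pair is in the table, new pairs are stored up to an administrator-selected maximum, and pairs for hosts no longer present are removed. The `PortGuard` name, the idle-timeout aging rule and the sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


def _key(ip, mac):
    """Normalise a (source IP, source MAC) pair so lookups are exact."""
    return str(ipaddress.ip_address(ip)), mac.lower().replace("-", ":")


@dataclass
class PortGuard:
    """Binding table for one port (hypothetical model, not a vendor API)."""
    max_ips: int = 2             # administrator-selected limit for the port
    idle_timeout: float = 300.0  # assumption: host is gone after this idle time
    table: dict = field(default_factory=dict)  # (ip, mac) -> last-seen time

    def expire(self, now):
        """Remove bindings for hosts that went quiet; return what was removed."""
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return stale

    def learn(self, ip, mac, now):
        """Record a pair from a trusted observation (e.g. a DHCP response)."""
        self.expire(now)
        k = _key(ip, mac)
        if k not in self.table and len(self.table) >= self.max_ips:
            return False         # limit reached: the pair is not stored
        self.table[k] = now
        return True

    def check(self, ip, mac, now):
        """Data-path decision: pass only when the exact pair is in the table."""
        self.expire(now)
        k = _key(ip, mac)
        if k in self.table:
            self.table[k] = now  # traffic keeps the binding alive
            return "pass"
        return "drop"


def run_demo():
    """Constructed trace: three hosts on one port with a limit of two pairs."""
    g = PortGuard(max_ips=2, idle_timeout=300)
    a, b, c = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
    return [
        g.learn("10.0.0.5", "AA-AA-AA-AA-AA-01", now=0),  # first pair stored
        g.check("10.0.0.5", a, now=10),    # exact pair found in table
        g.check("10.0.0.9", a, now=20),    # known MAC, unbound source IP
        g.learn("10.0.0.6", b, now=30),    # second pair stored
        g.learn("10.0.0.7", c, now=40),    # refused: maximum already reached
        g.check("10.0.0.7", c, now=50),    # pair never stored, so not passed
        g.learn("10.0.0.7", c, now=320),   # host a aged out, slot is free
        g.check("10.0.0.5", a, now=330),   # removed pair no longer passes
    ]
```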

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37
CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Peter Poltorak whose telephone number is (571) 272-3840.
The examiner can normally be reached Monday through Thursday from 9:00
a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 3:30 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number
for the organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free).